Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2024-10-01 02:35:49 -04:00
Code Issues Packages Projects Releases Wiki Activity
a17f9f5250
qusal/salt/qubes-builder/files/admin/policy/default.policy
Ben Grande a17f9f5250 feat: unattended qubes-builder build 
Split-gpg2 allows to isolate GPG home directories. In the future,
enforcing this setting via drop-in configuration would be safer, depends
on https://github.com/QubesOS/qubes-issues/issues/8792.
2024-01-05 17:24:14 +01:00

28 lines
1.4 KiB
Plaintext
Raw Blame History

# SPDX-FileCopyrightText: 2023 The Qubes OS Project <https://www.qubes-os.org>
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: GPL-2.0-only
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-git
qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny
admin.vm.CreateDisposable * {{ sls_path }} dom0 allow
admin.vm.CreateDisposable * {{ sls_path }} dvm-qubes-builder allow target=dom0
admin.vm.Start * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow target=dom0
admin.vm.Kill * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow target=dom0
qubesbuilder.FileCopyIn * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
qubesbuilder.FileCopyOut * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
qubes.WaitForSession * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
qubes.VMShell * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
## vim:ft=qrexecpolicy
Reference in New Issue View Git Blame Copy Permalink